Unlike some malware and spyware attacks, this one is sophisticated, relentless and highly targeted. In particular, Mac users across South East Asia and Japan have been the focus. First identified in 2013 (which doesn't mean it has vanished, as there have been more recent reports), IceFog is a program designed to steal data.
It could easily be the work of a hostile nation state, or, as in other attacks we've seen, a third-party group acting on another country's behalf. Given that the attacks have been against industrial, media, technology, defence contractor and supply chain companies, it almost sounds like something out of a spy movie. North Korea, China or Russia could be behind it, and in many cases victims won't know what has been taken and may not report the fact. Some victims of attacks such as these could lose their jobs if they're found to be in breach of security procedures. Hostile nations will use any advantage to exploit a vulnerability.
A fragment of IceFog malware code planted on an infected macOS system:
Secrets are valuable, so if you work for a company and keep sensitive information on a laptop or phone, it is worth asking to have a VPN installed and, whenever possible, not sending anything through to your personal device. It might help to keep your employer's or clients' information safe.
All of this sounds like it could be out of a spy movie. Except that in the movies, human officers break into buildings with high-tech gadgets; now a trojan or virus breaks in using highly coordinated and relentless spear phishing emails.
What is IceFog?
Also known as PrxlA, IceFog has been described as a hit-and-run APT campaign. Unlike many other campaigns, Kaspersky Lab noticed several signs that this is a coordinated effort going after specific targets:
“Perhaps one of the most important aspects of the Icefog C&Cs is the “hit and run” nature. The attackers would set up a C&C, create a malware sample that uses it, attack the victim, infect it, and communicate with the victim machine before moving on. The shared hosting would expire in a month or two and the C&C disappears.
The nature of the attacks was also very focused - in many cases, the attackers already knew what they were looking for. The filenames were quickly identified, archived, transferred to the C&C and then the victim was abandoned.”
Kaspersky closed 13 domains from which attacks originated, then started noticing more victims across the US, Canada and the UK, far from the original target area of Asia.
Can IceFog be removed manually?
Yes, although with some difficulty.
Attacks such as this do everything they can to keep the backdoor open, in case the victim has other useful secrets that can be grabbed at a later date.
It will take work, and perhaps a cyber security expert, to search through your files and identify the components of the program that have taken control of your Mac. After that, carefully remove and delete them manually, then restart your Mac. Hopefully the problem will have gone, although that can't be guaranteed with the manual method.
Another way is to install CleanMyMac X.
CleanMyMac X is a powerful Mac performance improvement app. It can identify and remove malware and other cyber threats, including IceFog, in only a few clicks. One scan and your Mac is safe again.
- Download CleanMyMac X (here's a link to a free version)
- Click on the Malware Removal tab;
- Click Scan;
- Click Remove to neutralize the threat.
For many Mac owners, IceFog isn't a direct threat. However, software such as this is smart, and should its code be released into the wild, other cyber criminals won't hesitate to exploit the capabilities of something that appears to have been created with state sponsorship and resources. Always be careful when opening emails from sources you don't know and clicking on any attachments, even when they look legitimate or appear to come from someone you know.